Friday, October 18, 2013

Authentication System Design Pattern

The following PHP scripts can serve as a design pattern for an application's authentication system.

This is the "login.php" file that renders the HTML login form.


<?php
echo "
<center>
<form method='post' action='authenticate.php'>
<fieldset>
<legend> Login </legend>
<table border='0'>
<tr>
<td rowspan='3'><img src='../img/emblem-keys.png'></td>
<td>Username</td><td><input type='text' name='username'></td>
</tr>
<tr>
<td>Password</td><td><input type='password' name='wordpass'></td>
</tr>
<tr>
<td>   </td><td><input type='submit' value='Login'><input type='reset' value='Reset'></td>
</tr>
</table>
</fieldset>
</form>
</center>
";
?>


This is the "authenticate.php" file that the HTML login form posts to.


<?php
session_start();
include_once('db_postgresql.inc.php');

// Bind the submitted values as query parameters instead of interpolating them
// into the SQL text, so a crafted username or password cannot alter the query.
$sql1 = "SELECT COUNT(*) AS numfound FROM webappuser WHERE username=:username AND wordpass=:wordpass AND access_level='1' AND record_state='1'";
$stmt1 = $con->prepare($sql1);
$stmt1->execute([':username' => $_POST['username'] ?? '', ':wordpass' => $_POST['wordpass'] ?? '']);

// Login Logic
$my_array1 = $stmt1->fetch(PDO::FETCH_ASSOC);
if ( $my_array1['numfound'] < 1 ) // Login Failed
	{
	$delay = 0;
	$url = "unauthorized.php";
	echo "<meta http-equiv='REFRESH' content='$delay;url=$url'>";
	exit;
	}

// Get the login information from the user
$sql2 = "SELECT username, wordpass, access_level, record_state FROM webappuser WHERE username=:username AND wordpass=:wordpass AND access_level='1' AND record_state='1'";
$stmt2 = $con->prepare($sql2);
$stmt2->execute([':username' => $_POST['username'] ?? '', ':wordpass' => $_POST['wordpass'] ?? '']);
$my_array2 = $stmt2->fetch(PDO::FETCH_ASSOC);

// Register authentication information in the session.
// A fresh session id on login prevents session fixation.
session_regenerate_id(true);
$username = $my_array2['username'];
$wordpass = $my_array2['wordpass'];
$access_level = $my_array2['access_level'];
$_SESSION["username"] = $username;
$_SESSION["wordpass"] = $wordpass;
$_SESSION["access_level"] = $access_level;

// Go to the welcome page
$delay = 0;
$url = "welcome.php";
echo "<meta http-equiv='REFRESH' content='$delay;url=$url'>";
?>
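As an added example (not the blog's own code), here is a version of "authenticate.php" hardened against the weaknesses a reviewer would flag in the script above: user input is bound as query parameters, the password is checked with password_verify() against a password_hash() value stored in the wordpass column instead of being compared in plain text, the session id is regenerated on login, and the password is no longer kept in the session. It assumes the same webappuser table and the $con handle from "db_postgresql.inc.php"; the Location header replaces the meta refresh.

```php
<?php
// Added example, not the post's code: hardened replacement for authenticate.php.
// Assumes the webappuser table from this page, with the wordpass column holding
// a password_hash() value rather than the plain-text password.
session_start();
include_once('db_postgresql.inc.php');   // provides $con (PDO, exceptions on)

$username = $_POST['username'] ?? '';
$password = $_POST['wordpass'] ?? '';

// Parameterised query: the submitted value is bound, never spliced into the SQL.
$stmt = $con->prepare(
    "SELECT username, wordpass, access_level FROM webappuser
      WHERE username = :username AND access_level = '1' AND record_state = '1'"
);
$stmt->execute([':username' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// password_verify() compares in constant time and reads the salt and cost
// embedded in the stored hash.
$ok = ($row !== false) && password_verify($password, $row['wordpass']);

if (!$ok) {
    // One generic outcome for unknown user and wrong password alike.
    header('Location: unauthorized.php');
    exit;
}

// Upgrade the stored hash if the default algorithm or cost has moved on since
// it was created; this is also how a new password is stored in the first place.
if (password_needs_rehash($row['wordpass'], PASSWORD_DEFAULT)) {
    $upd = $con->prepare("UPDATE webappuser SET wordpass = :hash WHERE username = :username");
    $upd->execute([':hash'     => password_hash($password, PASSWORD_DEFAULT),
                   ':username' => $row['username']]);
}

// A fresh session id on login defeats session fixation. Keep only what later
// pages need; the password itself never goes into the session.
session_regenerate_id(true);
$_SESSION = [
    'username'     => $row['username'],
    'access_level' => $row['access_level'],
    'login_time'   => time(),
];

header('Location: welcome.php');
exit;
```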


This is the "unauthorized.php" file that the authentication system calls when the username and password do not match.


<?php
// session_destroy() only works on a started session; start it first, then
// clear the session data before destroying it.
session_start();
$_SESSION = [];
session_destroy();
echo "
<center>
<form method='post' action='authenticate.php'>
<fieldset>
<legend> Login </legend>
<table border='0'>
<tr>
<td rowspan='3'><img src='../img/emblem-keys.png'></td>
<td>Username</td><td><input type='text' name='username'></td>
</tr>
<tr>
<td>Password</td><td><input type='password' name='wordpass'></td>
</tr>
<tr>
<td>   </td><td><input type='submit' value='Login'><input type='reset' value='Reset'></td>
</tr>
</table>
</fieldset>
</form>
<br>
<font color='red'><blink><b>Unauthorized ...</b></blink></font>
</center>
";
?>


This is the "logout.php" file that is called when the user clicks on a logout button.


<?php
// session_destroy() only works on a started session; start it first, then
// clear the session data before destroying it.
session_start();
$_SESSION = [];
session_destroy();
echo "
<center>
<form method='post' action='authenticate.php'>
<fieldset>
<legend> Login </legend>
<table border='0'>
<tr>
<td rowspan='3'><img src='../img/emblem-keys.png'></td>
<td>Username</td><td><input type='text' name='username'></td>
</tr>
<tr>
<td>Password</td><td><input type='password' name='wordpass'></td>
</tr>
<tr>
<td>   </td><td><input type='submit' value='Login'><input type='reset' value='Reset'></td>
</tr>
</table>
</fieldset>
</form>
<br>
<font color='red'><blink><b>You have been logged out...</b></blink></font>
</center>
";
?>


This is the "db_postgresql.inc.php" database connection file, included by any PHP page that needs to connect to the database. The assumption here is that the application uses a PostgreSQL database; you can change this to whatever database brand you prefer. Furthermore, the database named "mydb" has a table named "webappuser" with a minimum of four fields, namely: (i) username, (ii) wordpass, (iii) access_level, (iv) record_state. In like manner, you can modify this to suit your needs.


<?php
$host = "localhost";
$user = "postgres";
$pw = "wordpass123";
$db = "mydb";
# Using pg PDO
# Connection Check
try {
    $con = new PDO('pgsql:host='.$host.';dbname='.$db, $user, $pw );
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    #echo "Database Status:  <font color='green'><blink><b>Connected...</b></blink></font><hr />";
} catch(PDOException $e) {
    # Log the real reason server-side; the browser only gets a generic message,
    # and the including page must not carry on with $con undefined.
    error_log('Database connection failed: ' . $e->getMessage());
    echo 'ERROR: database connection failed';
    exit;
}
?>



This is the "secure.php" file that can be included at the top of any PHP file you want protected from unauthorized users.


<?php
ini_set( "display_errors", 0);
session_start();
include_once( 'db_postgresql.inc.php' );
$username = $_SESSION["username"] ?? '';
$wordpass = $_SESSION["wordpass"] ?? '';

// Bind the session values as query parameters rather than interpolating them into the SQL text
$sql1 = "SELECT COUNT(*) AS numfound FROM webappuser WHERE username=:username AND wordpass=:wordpass AND access_level='1' AND record_state='1'";
$stmt1 = $con->prepare($sql1);
$stmt1->execute([':username' => $username, ':wordpass' => $wordpass]);
$my_array1 = $stmt1->fetch(PDO::FETCH_ASSOC);

// Login Logic
if ( $my_array1['numfound'] < 1 ) // Login Failed
	{
	$delay = 0;
	$url = "unauthorized.php";
	echo "<meta http-equiv='REFRESH' content='$delay;url=$url'>";
	exit;
	}
?>
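As an added example (not the blog's own code), here is a page guard in the spirit of "secure.php" that does not need the password in the session at all: it checks that the session carries a completed, unexpired login and then re-validates the account row with a bound parameter, so a user whose record_state or access_level has changed loses access on the next request. It assumes a login step that stored username, access_level and login_time in $_SESSION (and nothing else); the SESSION_MAX_AGE value is an assumption.

```php
<?php
// Added example, not the post's code: include at the top of a protected page.
// Assumes the login step stored only username, access_level and login_time
// in the session, and that $con comes from db_postgresql.inc.php.
ini_set('display_errors', '0');
session_start();
include_once('db_postgresql.inc.php');

const SESSION_MAX_AGE = 8 * 3600;   // assumption: force a fresh login after 8 hours

function deny_and_exit(): void
{
    // Drop the session entirely before sending the visitor back to the form.
    $_SESSION = [];
    session_destroy();
    header('Location: unauthorized.php');
    exit;
}

// 1. The session must carry a completed login that has not expired.
if (empty($_SESSION['username']) || empty($_SESSION['login_time'])
    || (time() - (int)$_SESSION['login_time']) > SESSION_MAX_AGE) {
    deny_and_exit();
}

// 2. Re-check the account on every request, with the username bound as a
//    parameter, so a disabled (record_state) or demoted (access_level) user
//    is cut off immediately and no password ever leaves the database.
$stmt = $con->prepare(
    "SELECT access_level FROM webappuser
      WHERE username = :username AND access_level = '1' AND record_state = '1'"
);
$stmt->execute([':username' => $_SESSION['username']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    deny_and_exit();
}

// Keep the session's copy of the access level in step with the database.
$_SESSION['access_level'] = $row['access_level'];
```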

